PT-2020-20335 · Samsung · Samsung Galaxy S10
Fluoroacetate · Published 2020-02-20 · Updated 2020-03-05 · CVE-2020-8860
CVSS v3.1: 8.0 (High)
Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Samsung Galaxy S10 Firmware versions G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0)
Description
This issue allows remote attackers to execute arbitrary code on affected devices. Exploitation requires user interaction, specifically answering a phone call. The flaw exists in the handling of Call Control Setup messages: the length of user-supplied data is not validated before the data is copied to a fixed-length, stack-based buffer. An attacker can leverage this to execute code in the context of the baseband processor.
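The missing check described above, sketched as an added example (not Samsung's baseband code and not part of the original advisory). It assumes a generic tag-length-value element layout; the tags, the 32-byte buffer size, the function names and the sample messages are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IE_BUF_MAX 32   /* assumed size of the fixed-length stack buffer */
enum { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2, IE_NOT_FOUND = -3 };

/* Constructed samples; tags 0xA0/0xA1 are hypothetical, not real element ids. */
static const uint8_t sample_ok[]     = {0xA0, 1, 0x00, 0xA1, 3, 'a', 'b', 'c'};
static const uint8_t sample_long[42] = {0xA1, 40};        /* 40 > IE_BUF_MAX */
static const uint8_t sample_trunc[]  = {0xA1, 16, 0x01, 0x02};

/* Copy the value of element `want` into out[IE_BUF_MAX]. The length octet comes
 * from the sender, so it is checked against the bytes left in the message and
 * against the destination size before anything is copied. */
static int ie_extract(const uint8_t *msg, size_t msg_len, uint8_t want,
                      uint8_t *out, size_t *out_len)
{
    size_t off = 0;
    while (off < msg_len) {
        if (msg_len - off < 2)
            return IE_TRUNCATED;        /* no room for tag + length */
        uint8_t tag = msg[off];
        size_t len = msg[off + 1];
        off += 2;
        if (len > msg_len - off)
            return IE_TRUNCATED;        /* declared length overruns the message */
        if (tag == want) {
            if (len > IE_BUF_MAX)
                return IE_TOO_LONG;     /* the length validation the description says was missing */
            memcpy(out, msg + off, len);
            *out_len = len;
            return IE_OK;
        }
        off += len;
    }
    return IE_NOT_FOUND;
}

/* Handler with the stack buffer: returns bytes copied, or a negative status
 * so the caller can drop the message instead of processing it. */
int handle_setup_body(const uint8_t *msg, size_t msg_len, uint8_t tag)
{
    uint8_t value[IE_BUF_MAX];
    size_t n = 0;
    int rc = ie_extract(msg, msg_len, tag, value, &n);
    return rc == IE_OK ? (int)n : rc;
}

int main(void) { return handle_setup_body(sample_long, sizeof sample_long, 0xA1) == IE_TOO_LONG ? 0 : 1; }
```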
Recommendations
For Samsung Galaxy S10 Firmware version G973FXXS3ASJA, update to a version that fixes the issue with proper validation of user-supplied data length.
For Samsung Galaxy S10 Firmware versions O(8.x), P(9.0), Q(10.0), ensure that all Call Control Setup messages are properly validated to prevent stack-based buffer overflow.
As a temporary workaround, consider restricting or disabling the handling of Call Control Setup messages until a patch is available.
Fix
Memory Corruption
Stack Overflow
Related Identifiers
Affected Products
Samsung Galaxy S10